Ok, thanks, I figured it out. I put it in its own folder and it seemed to work.
AVG showed a new virus today, along with the previous one, "Backdoor.Agent.BA".
This one says "trojan horse virus Downloader.Delf.6.V" under the file name "msshed32.exe".
Here is the log from the findit prog.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Find-It\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 5C37-B14E
Directory of C:\WINDOWS\System32
01/14/2005 09:45 PM <DIR> dllcache
01/05/2005 04:52 PM 32 {ABCB3E21-D9C6-46DE-8254-D5A092D59F70}.dat
12/28/2004 11:44 AM 159,582 3n5pi.exe
12/22/2004 10:31 PM 228,777 kbrr.sys
12/22/2004 10:31 PM 360,444 jc6eta.dll
12/22/2004 10:31 PM 201,631 o0eb0.exe
10/28/2002 10:28 AM <DIR> Microsoft
5 File(s) 950,466 bytes
2 Dir(s) 64,657,981,440 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is HP_PAVILION
Volume Serial Number is 5C37-B14E
Directory of C:\WINDOWS\System32
01/14/2005 09:45 PM <DIR> dllcache
01/05/2005 04:52 PM 32 {ABCB3E21-D9C6-46DE-8254-D5A092D59F70}.dat
12/28/2004 11:44 AM 159,582 3n5pi.exe
12/22/2004 10:31 PM 228,777 kbrr.sys
12/22/2004 10:31 PM 360,444 jc6eta.dll
12/22/2004 10:31 PM 201,631 o0eb0.exe
10/28/2002 09:34 AM 488 logonui.exe.manifest
10/28/2002 09:34 AM 488 WindowsLogon.manifest
10/28/2002 09:34 AM 749 sapi.cpl.manifest
10/28/2002 09:34 AM 749 nwc.cpl.manifest
10/28/2002 09:34 AM 749 wuaucpl.cpl.manifest
10/28/2002 09:34 AM 749 ncpa.cpl.manifest
10/28/2002 09:34 AM 749 cdplayer.exe.manifest
12 File(s) 955,187 bytes
1 Dir(s) 64,657,977,344 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is HP_PAVILION
Volume Serial Number is 5C37-B14E
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C is HP_PAVILION
Volume Serial Number is 5C37-B14E
Directory of C:\WINDOWS\System32
08/29/2002 11:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 64,657,977,344 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"YPC 3.0.3"="Yahoo! Parental Controls"
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
3n5pi.exe Tue Dec 28 2004 11:44:50a ..SHR 159,582 155.84 K
jc6eta.dll Wed Dec 22 2004 10:31:22p ..SHR 360,444 351.99 K
kbrr.sys Wed Dec 22 2004 10:31:22p ..SHR 228,777 223.41 K
o0eb0.exe Wed Dec 22 2004 10:31:22p ..SHR 201,631 196.90 K
{abcb3~1.dat Wed Jan 5 2005 4:52:14p A.SH. 32 0.03 K
5 items found: 5 files, 0 directories.
Total of file sizes: 950,466 bytes 928.19 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\OutLook.exe: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"